NoScript and Spectre-Meltdown

General discussion about the NoScript extension for Firefox
kukla
Senior Member
Posts: 317
Joined: Mon May 04, 2009 12:08 am

NoScript and Spectre-Meltdown

Post by kukla »

If I'm not mistaken, attack vector is via JavaScript. Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?

*No guarantee there either, since even those can sometimes be hacked.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript and Spectre-Meltdown

Post by Giorgio Maone »

kukla wrote: If I'm not mistaken, attack vector is via JavaScript.
Correct, that's the easiest way to remotely exploit Spectre.
kukla wrote: Can NoScript offer protection beyond browsing mostly with JS disabled, except for completely known, trusted sites?* Any particular suggestions for protection with NoScript?
*No guarantee there either, since even those can sometimes be hacked.
The same rules suggested to prevent any JS-exploitable vulnerability, "known or not known yet" as advertised:
  1. limit your whitelist to HTTPS-only matched sites (green closed lock icon), because otherwise an attacker controlling your network could inject its malicious payload inside random unencrypted pages.
  2. keep the XSS filter enabled, otherwise an attacker could exploit an XSS vulnerability in a trusted site to inject its malicious payload in it, even if encrypted.
jawz101
Senior Member
Posts: 71
Joined: Sun Jul 10, 2011 11:13 pm

Re: NoScript and Spectre-Meltdown

Post by jawz101 »

@Giorgio- is web assembly a separate technology that will one day need protections?
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: NoScript and Spectre-Meltdown

Post by Giorgio Maone »

jawz101 wrote: @Giorgio- is web assembly a separate technology that will one day need protections?
Web Assembly is subject to the same rules/restrictions as JavaScript (they share the same runtime, but by writing web assembly you're able to better model your performance optimization at a lower abstraction level).
So NoScript covers it just like it covers JavaScript.